Playback peril for remote working technology remediated

Cisco has warned that vulnerabilities in its Webex web conferencing and video conferencing applications pose a remote code execution (RCE) risk.

Users of Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows are urged to apply patches, released by the networking giant on Wednesday.

The security flaws stem from “insufficient validation of certain elements within a Webex recording that is stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF)”, Cisco’s advisory explains.

Playback peril

Cisco Webex Meetings services can be set up to allow users to store meeting recordings online and download those recordings as ARF files. These services can also be configured to allow users to record meetings directly on their local computers as WRF files.

Cisco Webex Network Recording Player and Cisco Webex Player are used to play back ARF and WRF files, respectively.

Attackers could exploit the flaws by tricking prospective marks into opening a malicious ARF or WRF file on a system running vulnerable versions of the web conferencing software.

The attack would involve an element of social engineering, since it relies on either tricking victims into visiting a booby-trapped website or opening the attachment of a phishing email.

Both tactics are well-practiced attack tricks, so the risks posed by the vulnerabilities are all too real.

Bad timing

The Cisco Webex security flaws come at a particularly bad time, when many organizations worldwide are considering greater use of remote working technologies such as video conferencing in response to the coronavirus epidemic.

The vulnerabilities mean that Webex Network Recording Player and Webex Player releases earlier than Release 1.3.49 need to be patched.

Cisco Webex Meetings prior to WBS 39.5.17 or WBS 39.11.0 also needs to be updated.

Releases of Cisco Webex Meetings Server, the private cloud-based version of the technology, earlier than Release 3.0MR3SecurityPatch1 and 4.0MR2SecurityPatch2 are also in need of security triage.
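As an added example (not Cisco's code and not part of the original article), this Python sketch triages a constructed asset inventory against the fixed releases named above. It assumes WBS 39.5.x is a separate release train fixed at 39.5.17 and that Meetings Server version strings order by maintenance release, then security patch; the host names and inventory layout are hypothetical.

```python
import re

# Fixed releases as quoted in the article.
PLAYER_FIXED = (1, 3, 49)
WBS_FIXED_39_5 = (39, 5, 17)   # assumption: 39.5.x is its own release train
WBS_FIXED_LATEST = (39, 11, 0)
SERVER_FIXED = {(3, 0): (3, 1), (4, 0): (2, 2)}  # base -> (MR, SecurityPatch)
SERVER_RE = re.compile(r"^(\d+)\.(\d+)(?:MR(\d+))?(?:SecurityPatch(\d+))?$")

def dotted(version):
    return tuple(int(part) for part in version.strip().split("."))

def player_needs_patch(version):
    return dotted(version) < PLAYER_FIXED

def meetings_needs_patch(version):
    v = dotted(version.upper().replace("WBS", ""))
    if v[:2] == (39, 5):
        return v < WBS_FIXED_39_5
    return v < WBS_FIXED_LATEST

def server_needs_patch(version):
    m = SERVER_RE.match(version.replace(" ", ""))
    if not m:
        raise ValueError(f"unrecognised Meetings Server version: {version!r}")
    major, minor, mr, sp = (int(g or 0) for g in m.groups())
    if (major, minor) < (3, 0):
        return True
    fixed = SERVER_FIXED.get((major, minor))
    # A train the article does not name cannot be decided here: None = manual review.
    return None if fixed is None else (mr, sp) < fixed

CHECKS = {"player": player_needs_patch, "meetings": meetings_needs_patch,
          "server": server_needs_patch}

def triage(inventory):
    """Return rows that are vulnerable (True) or need manual review (None)."""
    return [row for row in inventory if CHECKS[row[1]](row[2]) is not False]

# Constructed sample inventory: (host, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-014", "player", "1.3.45"), ("ws-022", "player", "1.3.49"),
    ("site-a", "meetings", "WBS 39.5.12"), ("site-b", "meetings", "WBS 39.5.17"),
    ("site-c", "meetings", "WBS 39.8.2"), ("wms-01", "server", "3.0MR3"),
    ("wms-02", "server", "4.0MR2SecurityPatch2"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs attention")
```

The `site-b` and `site-c` rows show the edge case: under the release-train assumption, 39.5.17 is fixed while the numerically later 39.8.2 is not.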

Cisco credited Francis Provencher, working with Trend Micro Zero Day Initiative, and Kexu Wang of Fortinet’s FortiGuard Labs for the CVE-2020-3127 and CVE-2020-3128 vulnerabilities in Cisco Webex.

In related patching developments, Cisco also released a patch for a lesser information disclosure vulnerability in its macOS X Webex client on Wednesday.

Security weaknesses in the multicast DNS protocol configuration of Cisco Webex Meetings Client for MacOS could allow an “unauthenticated adjacent attacker to obtain sensitive information about the device on which the Webex client is running”, Cisco explains in an advisory.
